modules/nixos: add backup

flake.nix

@@ -158,6 +158,7 @@
       };
 
       flake.nixosModules = {
+        backup = ./modules/nixos/backup.nix;
         buildbot = ./modules/nixos/buildbot.nix;
         builder = ./modules/nixos/builder.nix;
         community-builder = ./modules/nixos/community-builder;

hosts/build02/nixpkgs-update-backup.nix

@@ -2,37 +2,15 @@
 {
   # 100GB storagebox is attached to the build02 server
 
-  age.secrets.hetzner-borgbackup-ssh = {
+  imports = [
-    file = "${inputs.self}/secrets/hetzner-borgbackup-ssh.age";
+    inputs.self.nixosModules.backup
-  };
+  ];
 
-  systemd.services.borgbackup-job-nixpkgs-update = {
+  nixCommunity.backup = [
-    after = [ "nixpkgs-update-delete-old-logs.service" ];
+    {
-    serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ];
+      name = "nixpkgs-update";
-  };
+      after = [ config.systemd.services.nixpkgs-update-delete-old-logs.name ];
-
+      paths = [ "/var/log/nixpkgs-update" ];
-  services.borgbackup.jobs.nixpkgs-update = {
+    }
-    paths = [ "/var/log/nixpkgs-update" ];
+  ];
-    repo = "u416406@u416406.your-storagebox.de:/./nixpkgs-update";
-    encryption.mode = "none";
-    compression = "auto,zstd";
-    startAt = "daily";
-    environment.BORG_RSH = "ssh -oPort=23 -i ${config.age.secrets.hetzner-borgbackup-ssh.path}";
-    preHook = ''
-      set -x
-    '';
-
-    postHook = ''
-      cat > /var/log/telegraf/borgbackup-job-nixpkgs-update.service <<EOF
-      task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
-      EOF
-    '';
-
-    prune.keep = {
-      within = "1d"; # Keep all archives from the last day
-      daily = 7;
-      weekly = 4;
-      monthly = 0;
-    };
-  };
 }

modules/nixos/backup.nix

@@ -0,0 +1,74 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+{
+  options.nixCommunity.backup = lib.mkOption {
+    type = lib.types.listOf (
+      lib.types.submodule {
+        options = {
+          name = lib.mkOption {
+            type = lib.types.str;
+          };
+          after = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+          };
+          paths = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+          };
+        };
+      }
+    );
+
+  };
+  config = {
+    # 100GB storagebox is attached to the build02 server
+
+    age.secrets.hetzner-borgbackup-ssh = {
+      file = "${inputs.self}/secrets/hetzner-borgbackup-ssh.age";
+    };
+
+    programs.ssh.knownHosts.hetzner-storage-box = {
+      hostNames = [ "[u416406.your-storagebox.de]:23" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
+    };
+
+    services.borgbackup.jobs = builtins.listToAttrs (
+      builtins.map (backup: {
+        inherit (backup) name;
+        value = {
+          inherit (backup) paths;
+          repo = "u416406@u416406.your-storagebox.de:/./${config.networking.hostName}-${backup.name}";
+          encryption.mode = "none";
+          compression = "auto,zstd";
+          startAt = "daily";
+          environment.BORG_RSH = "ssh -oPort=23 -i ${config.age.secrets.hetzner-borgbackup-ssh.path}";
+          preHook = "set -x";
+          postHook = ''
+            cat > /var/log/telegraf/borgbackup-job-${backup.name}.service <<EOF
+            task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
+            EOF
+          '';
+          prune.keep = {
+            within = "1d"; # Keep all archives from the last day
+            daily = 7;
+            weekly = 4;
+            monthly = 0;
+          };
+        };
+      }) config.nixCommunity.backup
+    );
+
+    systemd.services = builtins.listToAttrs (
+      builtins.map (backup: {
+        name = "borgbackup-job-${backup.name}";
+        value = {
+          inherit (backup) after;
+          serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ];
+        };
+      }) config.nixCommunity.backup
+    );
+  };
+}

modules/nixos/github-org-backup.nix

@@ -7,6 +7,10 @@
 {
   # 100GB storagebox is attached to the build02 server
 
+  imports = [
+    inputs.self.nixosModules.backup
+  ];
+
   # upstream docs show how to restore these backups
   # https://github.com/gabrie30/ghorg/blob/92965c8b25ca423223888e1138d175bfc2f4b39b/README.md#creating-backups
   systemd.services.github-org-backup = {
@@ -31,37 +35,11 @@
     serviceConfig.Type = "oneshot";
   };
 
-  age.secrets.hetzner-borgbackup-ssh = {
+  nixCommunity.backup = [
-    file = "${inputs.self}/secrets/hetzner-borgbackup-ssh.age";
+    {
-  };
+      name = "github-org";
-
+      after = [ config.systemd.services.github-org-backup.name ];
-  systemd.services.borgbackup-job-github-org = {
+      paths = [ "/var/lib/github-org-backup" ];
-    after = [ "github-org-backup.service" ];
+    }
-    serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ];
+  ];
-  };
-
-  services.borgbackup.jobs.github-org = {
-    paths = [ "/var/lib/github-org-backup" ];
-    repo = "u416406@u416406.your-storagebox.de:/./github-org";
-    encryption.mode = "none";
-    compression = "auto,zstd";
-    startAt = "daily";
-    environment.BORG_RSH = "ssh -oPort=23 -i ${config.age.secrets.hetzner-borgbackup-ssh.path}";
-    preHook = ''
-      set -x
-    '';
-
-    postHook = ''
-      cat > /var/log/telegraf/borgbackup-job-github-org.service <<EOF
-      task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
-      EOF
-    '';
-
-    prune.keep = {
-      within = "1d"; # Keep all archives from the last day
-      daily = 7;
-      weekly = 4;
-      monthly = 0;
-    };
-  };
 }

modules/shared/known-hosts.nix

@@ -24,10 +24,6 @@
       hostNames = [ "darwin02.nix-community.org" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIcqYTe10t/jJitpfr0lr55lKVltAQkWiMp4tNY7mZQ";
     };
-    hetzner-storage-box = {
-      hostNames = [ "[u416406.your-storagebox.de]:23" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
-    };
     web02 = {
       hostNames = [ "web02.nix-community.org" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILAkBZMRNgsJ/IbLtjMHqBw/9+4tyn9nT+5B5RFiV0vJ";